Reflected XSS vulnerability in OPAC browse results
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Evergreen |
Fix Released
|
High
|
Unassigned | ||
3.10 |
Fix Released
|
High
|
Unassigned | ||
3.11 |
Fix Released
|
High
|
Unassigned | ||
3.12 |
Fix Released
|
High
|
Unassigned |
Bug Description
Earlier this month we received a warning that our demo installation (which was on 3.11.1 back then) had the following vulnarability. A couple of days later, we upgraded to 3.13.0 but it seems that the vulnarability has not been resolved by the upgrade. Anyway, per https:/
> ---- Předaná zpráva od "UT Information Security Office"
> <email address hidden> ---
> Od: "UT Information Security Office" <email address hidden>
> Komu: <email address hidden>
> Předmět: [cuni #10874] [ISOTicket:4759825] UT/ISO -- Verified Vulnerable
> Web Page [195.113.63.104 - cuni.cz]
> Datum: 10/06/2024 12:28:09
>
> =======
> The following alert is the product of the Dorkbot service
> created by UT Austin.
> =======
>
> The Information Security Office at the University of Texas at Austin
> has found the following web page to be vulnerable to a high-risk application
> attack:
>
> HOST: 195.113.63.104 [evergreendemo.
> HOST: N/A
> DATE: 2024-06-10 00:29:25 CST/CDT
>
> GET:
> https:/
>
> ATTACK DETAILS:
> This page is vulnerable to Cross-site scripting attacks.
>
> Cross-site scripting attacks, in general, are an issue because
> they are enabling attacks. Specially-crafted malicious URLs can
> steal authentication tokens/cookies when a logged-in user visits them,
> giving the attacker full access to that user's account in the application.
> Reflected XSS attacks, in particular, are a concern as they can be used to
> socially engineer a user into clicking on what appears to be a
> legitimate URL.
>
> ** Please note that the Dorkbot service will re-check this page in the next
> 30-days to help verify remediation for you. **
>
> Please also consider the following:
>
> - Web application security testing should be performed regularly,
> especially for any public web applications. This includes
> tracking application inventory, general code review and vulnerability
> assessments using web application security testing tools.
>
> - All input received by the web server should be checked before
> it is processed. The best method is to remove all unwanted input and
> accept only expected input. For example, ensure angle brackets are
> not allowed in any input to any Web page fields. Additionally, no
> syntactic input should be allowed. Syntactic input can come from
> databases, other servers, etc. All input into a Web application must
> be filtered to ensure the delivery of clean content to individuals using
> your service.
>
> - Other References:
>
> OWASP Top 10 Proactive Controls
> https:/
>
> OWASP Guide to Building Secure Web Applications and Web Services
> https:/
>
> Please let us know if you believe any of this information to be inaccurate
> so that we can be of better service in the future.
>
> We hope this information is helpful.
>
> Information Security Office
> The University of Texas at Austin
> <email address hidden>
> http://
> =======
Changed in evergreen: | |
milestone: | none → 3.13.1 |
summary: |
- Security bug in the Evergreen OPAC + Reflected XSS vulnerability in OPAC browse results |
Changed in evergreen: | |
status: | Confirmed → Fix Released |
information type: | Private Security → Public Security |
Thanks, Linda. Confirmed. I was also able to inject javascript through the simpler URL: /eg/opac/ browse? blimit= "/><script> alert(' BAD')</ script>